authorJenkins <jenkins@review.openstack.org>2017-06-14 16:26:57 +0000
committerGerrit Code Review <review@openstack.org>2017-06-14 16:26:57 +0000
commit12aaefa939974fe9970cff4e3f933d8411a9fa91 (patch)
tree0046b0d7b06d858a7e3029f3db3a650b0e466a81
parentdfdfc00312a60413daec62aa9cf7442db52605d9 (diff)
parent350e1a81dd559581bcf643e5a87ad89d6a9c0e5d (diff)
Merge "Enable heat/puppet to manage the fernet keys and make it configurable"
-rw-r--r--puppet/services/keystone.yaml10
-rw-r--r--releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml6
2 files changed, 15 insertions, 1 deletions
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 57e3286a..af494016 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -122,6 +122,14 @@ parameters:
KeystoneFernetKeys:
type: json
description: Mapping containing keystone's fernet keys and their paths.
+ ManageKeystoneFernetKeys:
+ type: boolean
+ default: true
+ description: Whether TripleO should manage the keystone fernet keys or not.
+ If set to true, the fernet keys will get the values from the
+ saved keys repository in mistral (the KeystoneFernetKeys
+ variable). If set to false, only the stack creation
+ initializes the keys, but subsequent updates won't touch them.
KeystoneLoggingSource:
type: json
default:
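Review bot: The `default: true` on ManageKeystoneFernetKeys reverses the value that was previously fixed; the second hunk shows `keystone::fernet_replace_keys: false` being replaced by this parameter. An existing deployment that takes this change without setting the parameter will, on its next stack update, have puppet rewrite the on-disk keys from KeystoneFernetKeys. Where keys were rotated on the hosts in the meantime, tokens issued under the newer keys would presumably stop validating. I would say so in the description, e.g. `Operators who rotate keys outside of TripleO must set this to false before updating.`, and add an `upgrade:` entry to the release note, which currently lists the change under `features:` only.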
@@ -258,7 +266,7 @@ outputs:
'/etc/keystone/credential-keys/1':
content: {get_param: KeystoneCredential1}
keystone::fernet_keys: {get_param: KeystoneFernetKeys}
- keystone::fernet_replace_keys: false
+ keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
keystone::debug:
if:
- service_debug_unset
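Review bot: Once `keystone::fernet_replace_keys` follows ManageKeystoneFernetKeys, the mapping passed through `keystone::fernet_keys` on the line above is written to disk on every update rather than only at stack creation, so KeystoneFernetKeys becomes the live source of token key material. Its definition in the first hunk's context shows only `type: json` and a description. If it is not marked elsewhere, adding `hidden: true` to it would keep the keys out of parameter listings returned by the Heat API. A short comment above the changed line, such as `# true: puppet overwrites the key files from KeystoneFernetKeys on each run`, would also tie the puppet option name to the TripleO parameter. The outputs block continues outside the hunk.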
diff --git a/releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml b/releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml
new file mode 100644
index 00000000..64a4d7e7
--- /dev/null
+++ b/releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - This introduces the ManageKeystoneFernetKeys parameter, which tells
+ heat/puppet if it should replace the existing fernet keys on a stack
+ deployment or not. This is useful if the deployer wants to do key rotations
+ out of band.